Don't link sftp, sftp-server or scp with libcrypto
Darren Tucker
dtucker at dtucker.net
Tue Jul 12 23:18:31 AEST 2022
Hi.
This applies on top of my previous patch cleaning up libcrypt and stops
linking scp, sftp and sftp-server against libcrypto. Why do this?
Well for one reason these components sometimes get used independently
of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
it'd be nice if I could have sftp on space constrained devices without
the currently-required but not strictly necessary additional libraries.
The same thing can be done with zlib but that's the next patch.
diff --git a/Makefile.in b/Makefile.in
index 3c285682..338976c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -49,6 +49,7 @@ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
PICFLAG=@PICFLAG@
LIBS=@LIBS@
+CRYPTOLIBS=@CRYPTOLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
@@ -208,34 +209,34 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CRYPTOLIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
- $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
- $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(LIBFIDO2)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CRYPTOLIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
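Review bot: The scp and sftp-server recipes (and presumably the sftp recipe, which lies outside this hunk) now link `-lssh` with no libcrypto, so they depend on the linker pulling only OpenSSL-free members out of libssh.a, and nothing in the Makefile records that this is deliberate. I would add a comment above the scp rule such as `# scp, sftp and sftp-server are deliberately linked without $(CRYPTOLIBS); keep libcrypto out of their objects`. Rules not shown here that still end in a bare `$(LIBS)` while using key or cipher code from libssh.a would lose `-lcrypto` with this change, so each of them should be checked and given `$(CRYPTOLIBS)` where needed.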
diff --git a/configure.ac b/configure.ac
index 7bb1d711..9a18e8dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2696,8 +2696,11 @@ AC_ARG_WITH([ssl-engine],
]
)
+CRYPTOLIBS=""
+nocrypto_saved_LIBS="$LIBS"
if test "x$openssl" = "xyes" ; then
- LIBS="-lcrypto $LIBS"
+ CRYPTOLIBS="-lcrypto"
+ LIBS="$CRYPTOLIBS $LIBS"
AC_TRY_LINK_FUNC([RAND_add], ,
[AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
AC_CHECK_HEADER([openssl/opensslv.h], ,
@@ -2860,7 +2863,6 @@ if test "x$openssl" = "xyes" ; then
],
[
AC_MSG_RESULT([no])
- saved_LIBS="$LIBS"
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
@@ -2868,10 +2870,10 @@ if test "x$openssl" = "xyes" ; then
[[ ERR_load_crypto_strings(); ]])],
[
AC_MSG_RESULT([yes])
+ CRYPTOLIBS="$CRYPTOLIBS -ldl"
],
[
AC_MSG_RESULT([no])
- LIBS="$saved_LIBS"
]
)
]
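Review bot: With `saved_LIBS` and its restore removed, the inner `no` branch leaves `-ldl` in `LIBS` even though the link test just failed, and `CRYPTOLIBS` does not get it. Every later OpenSSL feature probe up to the `LIBS="$nocrypto_saved_LIBS"` restore then links with a library the final binaries will not be given, so a probe can pass at configure time while the symbol is missing at build time. Keeping `saved_LIBS="$LIBS"` before `LIBS="$LIBS -ldl"` (removed in the previous hunk) and `LIBS="$saved_LIBS"` in this `no` branch avoids that. The enclosing AC_LINK_IFELSE starts above this hunk.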
@@ -3263,25 +3265,6 @@ AC_CHECK_FUNCS([ \
arc4random_uniform \
])
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([iaf], [ia_openinfo], [
- LIBS="$LIBS -liaf"
- AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
- AC_DEFINE([HAVE_LIBIAF], [1],
- [Define if system has libiaf that supports set_id])
- ])
-])
-LIBS="$saved_LIBS"
-
-# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([crypt], [crypt], [
- LIBS="-lcrypt $LIBS"
- SSHDLIBS="-lcrypt $SSHDLIBS"
-])
-AC_CHECK_FUNCS([crypt])
-LIBS="$saved_LIBS"
-
### Configure cryptographic random number support
# Check whether OpenSSL seeds itself
@@ -3310,6 +3293,8 @@ if test "x$openssl" = "xyes" ; then
]
)
fi
+LIBS="$nocrypto_saved_LIBS"
+AC_SUBST([CRYPTOLIBS])
# PRNGD TCP socket
AC_ARG_WITH([prngd-port],
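Review bot: `LIBS="$nocrypto_saved_LIBS"` rewinds `LIBS` to the value saved roughly 600 lines earlier, so anything other than `-lcrypto`/`-ldl` that a check in between appended to `LIBS` is silently dropped here. If every intervening check already saves and restores `LIBS` itself this is harmless, but that is not visible from the hunks and deserves a comment, for example `# Restore LIBS without libcrypto; checks above must not leave other libraries in LIBS`. Configure tests after this point also no longer see libcrypto in `LIBS`, so any of them that probes an OpenSSL-dependent function would need `$CRYPTOLIBS` added explicitly for the duration of the test.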
@@ -3399,6 +3384,24 @@ else
AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([iaf], [ia_openinfo], [
+ LIBS="$LIBS -liaf"
+ AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
+ AC_DEFINE([HAVE_LIBIAF], [1],
+ [Define if system has libiaf that supports set_id])
+ ])
+])
+
+# Check for crypt() in libcrypt. If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+ LIBS="-lcrypt $LIBS"
+ SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
# Check for PAM libs
PAM_MSG="no"
AC_ARG_WITH([pam],
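Review bot: The moved libiaf block lost its trailing `LIBS="$saved_LIBS"`: the removed copy restored `LIBS` after the AC_CHECK_LIB, while the added copy goes straight on to the libcrypt check. When libiaf is found, `-liaf` therefore stays in `LIBS`, is captured by the second `saved_LIBS="$LIBS"`, and ends up on every program's link line instead of only in `SSHDLIBS`. Re-add `LIBS="$saved_LIBS"` after the closing `])` of the libiaf check.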
@@ -5635,6 +5638,9 @@ echo " Compiler flags: ${CFLAGS}"
echo "Preprocessor flags: ${CPPFLAGS}"
echo " Linker flags: ${LDFLAGS}"
echo " Libraries: ${LIBS}"
+if test ! -z "${CRYPTOLIBS}"; then
+echo " +crypto: ${CRYPTOLIBS}"
+fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
diff --git a/scp.c b/scp.c
index da07e64e..f9ca5d39 100644
--- a/scp.c
+++ b/scp.c
@@ -455,8 +455,6 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
- seed_rng();
-
msetlocale();
/* Copy argv, because we modify it */
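Review bot: Removing `seed_rng()` takes away the only RNG initialisation visible in this part of main(), and neither the code nor the description says what scp relies on for random numbers afterwards. If anything reachable from scp still calls arc4random() or a similar helper in libopenbsd-compat, that helper must seed itself from the OS without libcrypto; that should be confirmed and recorded, for example with `/* No seed_rng(): scp is not linked with libcrypto */` at this spot. The same applies to the identical removals in sftp-server-main.c and sftp.c. main() begins and ends outside the hunk.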
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36..2c70f89b 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
@@ -42,8 +42,6 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
- seed_rng();
-
if ((user_pw = getpwuid(getuid())) == NULL) {
fprintf(stderr, "No user found for uid %lu\n",
(u_long)getuid());
diff --git a/sftp.c b/sftp.c
index c880f166..939b8dc0 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2406,8 +2406,6 @@ main(int argc, char **argv)
sanitise_stdfd();
msetlocale();
- seed_rng();
-
__progname = ssh_get_progname(argv[0]);
memset(&args, '\0', sizeof(args));
args.list = NULL;
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.